Bridging the Gap
Setting up a cost-effective infrastructure to read mobile ID cards
- By Steve Warne
- Oct 01, 2017
The mobile ID revolution is gathering pace, but not everyone
has a smartphone today, and many citizens prefer to carry
a physical card. How do government agencies manage this
transition from physical to mobile, and ensure they can issue
both cards and mobile ID at the same time? How do agencies set
up a cost-effective infrastructure to read mobile IDs with common
devices? It’s still early in this developing story, but the path for the
latest smart card and mobile ID technologies needs to be defined.
The number of physical ID cards distributed by governments continues
to grow, and the security of these cards continues to be improved.
New features make them difficult to forge, particularly when
security features are further enhanced by personalization, and many
countries have deployed electronic identity cards (eIDs) containing
additional security in the embedded chip.
While the use of cards is rising, mobile credentials are also being
developed that deliver a cost-effective and convenient citizen ID
experience. New technologies have enabled these identity credentials
to be enrolled, provisioned and used on mobile devices. They
are securely delivered to citizens’ mobile phones, where they can be
presented in a way that does not compromise security or privacy.
Weighing the Benefits
Mobile credentials offer many benefits, one being that they give citizens
greater control over what identification information they share,
whether in person or remotely. For instance, citizens need not divulge
their name, address or any other identifying information, except age,
to a cashier when purchasing age-restricted goods.
Mobile credentials lower deployment barriers by eliminating the
need to create an expensive reader infrastructure. In many cases,
the mobile credential can be verified by another mobile device over
a Bluetooth Low Energy (BLE) or near-field communication (NFC)
connection. This verification process may take place in an on-line or
off-line scenario, with the BLE connection providing additional functionality
for verifying at distances up to about 98 feet.
As mobile IDs are introduced, governments will adapt their single-purpose
use into a multi-service model where a variety of functions
and services are enabled through one mobile device. This will
foster much better communication and interaction between governments
and their citizens.
As attractive as these benefits are, the advent of mobile credentials
should not be considered the end for physical documents. Identity
and travel documents are defined by numerous standards that ensure
commonality of authentication and encryption approaches, which do
not yet exist for digital credentials. It could be several years before
these standards are completed and mobile credentials are widely accepted
as IDs or proof of privilege. Additionally, the functionality and
security of mobile identity relies on the use of smartphones, which
are not universally carried by citizens and the distribution of which
varies greatly across demographics.
The real challenge with mobile IDs, then, is how to deploy them in
such a way as to accommodate their co-existence with physical cards,
today and in the future. One answer is a single infrastructure for issuing
and authenticating both ID types, supported by encryption and
security levels that are at least as high as—if not higher than—those
in established security documents.
One big advantage of supporting both physical and mobile ID
types is that it gives governments the opportunity to implement
strong authentication by having each form factor act as a trust anchor
for the other. As an example, citizens could use their phones to
authenticate their card or passport visually, or possibly read the chip
that is embedded within it, in order to be issued a mobile ID.
Additionally, a multi-factor authentication strategy could be
implemented which requires the physical and mobile credentials to
be present to access a secure service such as a person’s health records.
Making the Transition
New technologies need to bridge the gap between the physical credentials
of today and the mobile credentials of the future. They
should enable organizations to issue a physical or mobile credential,
or both, from a single source. They should enable the credentials to be
efficiently authenticated via a single verification infrastructure. This
type of infrastructure could be low-cost and easily distributed, such
as through an app or a simple, low-cost hardware device.
With this level of flexibility, a government can, for instance,
issue mobile-enabled ID cards that can be read by simple mobile
phones. Or, it can issue mobile IDs on smartphones that can be
read by bespoke readers with, perhaps, biometrics or other special
functionality. Governments can decide the capabilities they want to
support and how much they want to spend on their infrastructure,
and when, and scale the platform accordingly to deliver incremental
new mobile benefits.
Governments are looking at new approaches to enhance citizen
identity schemes. Physical ID cards will continue to be widely used
as the primary source of identity documentation, at least for now. At
the same time, the use of mobile citizen ID credentials is gathering
pace as governments seek to improve convenience and communication
with their citizens. Making the transition to supporting both ID
types requires smart solutions that meet the requirements of citizens
and governments while still delivering a high degree of security, privacy
and trust.
This article originally appeared in the October 2017 issue of Security Today.